Operational Risk and Resiliency is one of the six broad topics that GARP tests in its FRM Part 2 exam. This broad topic has 20% weight in the exam. This means out of 80 questions asked, you may expect 16 questions from this section. This area focuses on methods to measure and manage operational risk as well as methods to manage risk across an organization, including risk governance, stress testing, and regulatory compliance.
The broad knowledge points covered in Operational Risk and Resiliency include the following:
- Principles for sound operational risk management
- Risk appetite frameworks and enterprise risk management (ERM)
- Risk culture and conduct
- Analyzing and reporting operational loss data
- Model risk and model validation
- Risk-adjusted return on capital (RAROC)
- Economic capital frameworks and capital planning
- Stress testing banks
- Third-party outsourcing risk
- Risks related to money laundering and financing of terrorism
- Regulation and the Basel Accords
- Cyber risk and cyber resilience
- Operational resilience
There are twenty-six chapters or readings in this section. If you go through the GARP specified learning objectives (LOs) for this section, you will find the majority of the LOs are non-computational. As GARP generally asks tricky questions from the non-computational LOs, non-computational LOs are to be equally emphasized to score well in this section.
Let’s go through the essence of each of the twenty-six chapters or readings and identify the concepts that GARP might test on the exam day.
Chapter 1: Principles for the Sound Management of Operational Risk
This chapter addresses the principles of sound operational risk management as proposed by the Basel Committee on Banking Supervision. The committee recommends a three-lines-of-defence approach, including business line management, independent operational risk management, and independent reviews. The committee proposes that a bank should have a corporate operational risk function (CORF) proportionate to the size and sophistication of the banking organization.
On the exam day, GARP might test your understanding of the following:
- Eleven principles of operational risk management as outlined by the Basel Committee
- Specific responsibilities of the board of directors and senior managers as they relate to the eleven
- principles of operational risk management
- Critical components of the bank’s operational risk management framework documentation
- Features of an effective control environment
- Committee’s recommendations for managing technology and outsourcing risk
Chapter 2: Enterprise Risk Management: Theory and Practice
Enterprise risk management (ERM) refers to the process of managing all of a corporation’s risks within an integrated framework. This chapter talks about how ERM can be implemented in a way that allows a company to manage its total risk-return trade-off to execute its strategic plan better, gain a competitive advantage, and create shareholder value.
Important issues include why it may be optimal to hedge diversifiable risk and how to distinguish between core risks the firm should retain and noncore risks the firm should avoid. The determination of the optimal amount of corporate risk is critical. It is important to ensure that managers at all levels take proper account of the risk-return trade-off. For the exam, be thorough in understanding the framework for developing and implementing ERM.
Chapter 3: What is ERM?
Enterprise risk management (ERM), a relatively new concept, emerged as an alternative to the traditional approach to risk management under which each risk was assessed, managed, and mitigated in silos by a specific unit within the firm. This chapter discusses the concept and definitions of ERM, its benefits and costs, and the seven major components of ERM. The role of the chief risk officer can also be a key element in the implementation and accomplishment of the ERM program across the firm.
For the exam, be thorough with your understanding of the:
- Three motivations of the ERM program
- Seven components of a successful ERM program
Chapter 4: Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
This chapter emphasizes the risk appetite framework (RAF) and how it can be best used with a risk appetite statement for managing risk within the firm. The RAF is used in many activities and areas throughout the firm, impacting the firm’s risk culture.
On the exam day, GARP might test your understanding of the following:
- Challenges in implementing an RAF as well as the best practices in implementing and communicating an RAF
- Relationship between the RAF and the firm’s strategic and business planning processes
- Role of stress testing within an RAF
Chapter 5: Banking Conduct and Culture: A Permanent Mindset Change
The 2007–2009 financial crisis and continuing issues of wrongdoing have caused a severe dent in the reputation and trust of the banking industry. Banking scandals over the last decade have had a contagion effect on the entire industry in damaging public trust.
For the exam, you should be thorough with your understanding of the following:
- The critical challenge of changing the mindset of culture internally within banks for improving employee conduct and repair reputations
- The best practices, motivational factors, and challenges identified by supervisory authorities in changing bank conduct and culture
- The progress in changing cultures following the financial crisis and issues related to diversity, compensation, and staff development
- The priority of concerns for different countries and the most important recommendations suggested by the Group of Thirty (G30) 2015 and 2018 reports
Chapter 6: Risk Culture
Risk culture and corporate culture are entwined and closely related concepts. This chapter discusses these two issues separately and discusses how to measure them.
For the exam, focus on the following:
- What constitutes a strong risk culture?
- The challenges for organizations in attaining a strong risk culture
Chapter 7: OpRisk Data and Governance
This chapter covers the seven level-1 categories of operational risk (OpRisk) events defined in Basel II and provides level-2 examples of operational risk events for each category.
On the exam day, from this reading, GARP might test your understanding of:
- How the collection and reporting of loss data, the risk control self-assessment (RCSA), identification of key risk indicators (KRIs), and scenario analysis are all important elements of a firm’s OpRisk process
- The OpRisk profiles across various financial sectors with emphases on the highest frequency percentages and severity percentages
- The typical progression through four organizational risk designs for large firms
Chapter 8: Supervisory Guidance on Model Risk Management
This chapter talks about managing model risk from a bank’s perspective (or other financial institution).
For the exam, focus on the following:
- Definition of model risk and how to manage it
- The development and implementation of a model
- The details surrounding the three elements of a strong validation process
Chapter 9: Information Risk and Data Quality Management
This chapter covers a qualitative examination of data quality issues. Organizations must be cognizant of the risks involved in data issues and be able to identify ways to protect one of their most valuable resources, i.e., their data.
For the exam, your focus should be on:
- The important features of acceptable data
- Details regarding data quality scorecards
Chapter 10: Validating Rating Models
This chapter deals with rating system validation, including qualitative and quantitative validation concepts, emphasizing qualitative validation. For the exam, focus on the following:
- The best practices and elements of qualitative and quantitative validation
- The concepts of calibration and discriminatory power
Chapter 11: Assessing the Quality of Risk Measures
This chapter discusses model risk and model errors, with specific criticisms of the value at risk (VaR) model. Model risk and the related factors can cause variability in VaR estimates.
For the exam, focus on the following:
- Challenges associated with mapping risk factors to positions in making VaR calculations
- How incorrect mapping factors can understate certain risks including reputational, liquidity, market, and basis risk
- The two specific case studies on the failures in strategies during 2005 and 2007–2009 related to modeling errors and the underestimation of key risks
Chapter 12: Risk Capital Attribution and Risk-Adjusted Performance Measurement
This chapter talks about the application of the risk-adjusted return on capital (RAROC) approach to the allocation of economic capital. The application of a hurdle rate for capital budgeting decisions and an adjusted version of the traditional RAROC approach is also discussed.
For the exam, focus on the following:
- The differences between economic capital and regulatory capital
- Computation of RAROC for capital budgeting as well as adjusted RAROC
- The qualitative concepts, such as reasons for using economic capital to allocate risk capital, the benefits of RAROC, and best practices in implementing the RAROC approach
Chapter 13: Range of practices and issues in economic capital frameworks
This chapter expands on the concept of economic capital, i.e., the capital required to absorb unexpected losses for a given time horizon and confidence interval. For the exam, focus on the terminology and how this reading relates to the readings on market risk and credit risk to reinforce your understanding.
Chapter 14: Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice
To ensure the smooth functioning of bank holding companies (BHCs), the Federal Reserve’s Capital Plan Rule requires BHCs to implement an ongoing internal capital plan for thoroughly evaluating and improving their capital adequacy under stress scenarios on a firmwide basis.
For the exam, focus on the fundamental principles and key practices to develop and implement an effective internal control plan, including:
- Risk identifications
- Model valuation and review
- Oversight and governance
- Contingency planning
- Stress testing and scenario designing
- Loss estimation and projections methodologies
- Evaluating the impact of capital adequacy
Chapter 15: Stress Testing Banks
This chapter emphasizes the use of bank stress testing in determining if liquidity and capital are adequate. For the exam, focus on the following:
- Details of the 2009 Supervisory Capital Assessment Program (SCAP)
- The issue of coherence in stress testing
- Challenges with modeling the balance sheet using stress tests in the context of the stress test horizon
- Differences in disclosure between U.S. and European stress tests and the way that stress test methodologies and disclosure have changed since the 2009 SCAP
Chapter 16: Guidance on Managing Outsourcing Risk
This chapter examines the general risks arising from a financial institution’s use of service providers and the key elements of an effective service provider risk management program. For the exam, focus on the following:
- Three broad areas of due diligence
- Details from the numerous contract provisions that should be addressed with third-party service providers
Chapter 17: Management of Risks Associated with Money Laundering and Financing of Terrorism
This chapter talks about the Basel Committee’s recommendations for identifying, assessing, and managing the risks associated with money laundering and the financing of terrorism (ML/FT) through banks. The concept of customer due diligence (CDD) is vital as it focuses on the preventive steps a bank must take to ensure it knows the true identities of its customers. As many of the higher risk situations stem from international, cross-border transactions, much of the committee’s recommendations are on the risks associated with these activities. For the exam, focus on the following:
- Who bears the ultimate responsibility for customer identification and verification, even if a third party is hired to carry out CDD?
- The responsibilities of both the correspondent and respondent banks in a correspondent banking relationship
Chapter 18: Regulation of the OTC Derivatives Market
Post the 2007–2009 financial crisis, regulation of the over-the-counter (OTC) derivatives market was undertaken seriously to decrease the systemic risk caused by the contagion effect of defaults of financial institutions. For the exam, focus on the following:
- The OTC market-clearing process precrisis
- What regulatory changes were made to the OTC market-clearing process to reduce systemic risk, and the impact of these changes on the OTC market
Chapter 19: Capital Regulation Before the Global Financial Crisis
This chapter provides an overview of the international capital standards given by the Basel Committee on Banking Supervision. Basel I (1988) was the first attempt toward risk-weighting bank activities, on- and off-balance sheet, to relate required capital to risk. Basel I was the first to set capital to risk-weighted assets requirement, but it only factored in the credit risk, not market or operational risk. Basel II adopted a more advanced approach to measuring bank credit risk, market risk, and operational risk.
For the exam, focus on the following:
- The contribution Basel II makes to risk measurement
- The differences between the methods used to calculate various risks
- The difference between Basel II and Solvency II, a similar international standard for insurance companies
- The likely repercussions a firm will face if it breaches the standards
- Calculation of a bank’s required capital under the various regimes
One of the repeated themes in this chapter is the difference between a standardized approach for measuring risk, used by less complex banks (and insurance companies), and an internal approach that is firm-specific and more advanced but often lowers required capital because it permits banks to apply their model inputs and factors in the correlations between assets.
Chapter 20: Solvency, Liquidity and Other Regulation After the Global Financial Crisis
Post the 2007–2009 financial crisis, the Basel Committee on Banking Supervision implemented reforms to bolster bank capital. This chapter talks about the measures taken in Basel 2.5 and Basel III to augment capital and tighten the definition of what constitutes capital in normal periods, create buffers to safeguard banks against loss in stress periods and inspire banks to better manage liquidity risks by requiring banks to maintain liquidity coverage and net stable funding ratios. It also talks about the major reforms implemented since the 2007–2009 financial crisis that influence banks and bank regulation.
For the exam, focus on the following:
The major changes to capital regulation, including the incremental risk capital charge, the comprehensive risk capital charge, the stressed value at risk (VaR), the capital conservation buffer, and the countercyclical buffer
- Why banks may use less mainstream funding sources, such as contingent convertible bonds (CoCos), as a result of higher capital requirements
- Calculation of the leverage ratio, liquidity coverage ratio, and net stable funding ratio given a bank’s balance sheet
- Major reforms following the financial crisis, including the creation of the Financial Stability Oversight Council and the Consumer Financial Protection Bureau
Chapter 21: High-level summary of Basel III reforms
This chapter discusses the reforms to the revised Basel III framework that were announced in December 2017. The reforms relate primarily to credit risk and, to a lesser extent, to operational risk. For the exam, avoid getting bogged down in the details of the regulatory rules. Rather, focus on the big picture, including:
- A summary view of the reforms
- The motivation for those reforms
- The intended result of implementing those reforms
Chapter 22: Basel III: Finalising post-crisis reforms
This chapter focuses on the calculation of the standardized approach for measuring operational risk capital requirements. For the exam, focus on the following:
- How the business indicator (BI) is derived
- How buckets are used to group banks by size such that the BI will have a different impact on the standardized approach given a bank’s bucket
- How to calculate the internal loss multiplier and the loss component
- Basel Committee’s outline of general and specific criteria applicable to operational loss data
Chapter 23: The Cyber-Resilient Organization
This chapter discusses how organizations can improve their cyber resiliency. For the exam, your focus should be on the:
- Characteristics of a cyber-resilient firm
- Methods a firm can use to increase both its cyber and financial resilience
Chapter 24: Cyber-resilience: Range of practices
This chapter furnishes an overview of the different cyber-resilience practices in global jurisdictions and institutions’ threat preparedness. It also talks about the jurisdictional approaches to cyber-resilience guidance standards and evaluations of the varying governance and cyber-resilience practices.
For the exam, pay attention to the following:
- Various types of practices for the sharing of cybersecurity information between different types of institutions
- The range of practices for risk governance of third-party service providers
Chapter 25: Building the UK financial sector’s operational resilience
Supervisory authorities advocate the business services approach for improving operational resilience in the banking industry. For the exam, your focus should be on:
- The difficulties in maintaining operational resilience for business services of firms and financial market infrastructures (FMIs) in a dynamic environment that creates new challenges
- Definition and measurement of impact tolerances
- The best practices that relate to identifying, mapping, assessing, testing, investing, and communicating issues related to operational resilience
- The consequences of operational disruptions for consumers, market participants, and the overall economy, including systemic risk
Chapter 26: Striving for Operational Resilience: The Questions Boards and Senior Management Should Ask
This chapter discusses how to develop an effective operational resilience program. For the exam, your focus should be on:
- Forward-thinking concept of operational resilience versus the more traditional approaches of business continuity and disaster recovery
- The key benefits that may accrue to an organization that has an effective operational resilience framework in place